notebooklm-second-brain

Fail

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The nlm login command is documented to perform "Browser cookie extraction" to facilitate authentication. Extracting cookies from a user's browser is a high-risk operation that accesses sensitive session credentials.
  • [DATA_EXFILTRATION]: The skill is designed to move local project data to external cloud-hosted notebooks. This occurs through several mechanisms:
    ◦ Automated synchronization via the PowerShell script .claude/hooks/scripts/notebooklm-sync.ps1, which exports commit messages, file change lists, and test results after every build.
    ◦ Manual or programmatic upload of local files and text content using nlm source add commands.
  • [COMMAND_EXECUTION]: The skill incorporates multiple shell execution points:
    ◦ The /notebooklm-bootstrap command, which installs the notebooklm-mcp-cli tool from an external source.
    ◦ The execution of PowerShell scripts (notebooklm-sync.ps1) triggered automatically by build or git hooks.
    ◦ Python script execution (scripts/validate-notebooks.py) for local configuration management.
  • [PROMPT_INJECTION]: The skill includes core directives that explicitly override default agent behavior, such as "Never skip the notebook and go straight to web search" and "Never dump full docs into context."
  • [DATA_INGESTION_RISK]: As per Category 8 (Indirect Prompt Injection), the skill exhibits a significant attack surface:
    ◦ Ingestion points: Data enters the agent context through nlm notebook query results (SKILL.md).
    ◦ Boundary markers: The skill lacks explicit delimiters or instructions to ignore potential commands embedded within the retrieved notebook data.
    ◦ Capability inventory: The agent possesses file-read, file-write, and shell execution (nlm) capabilities across its scripts (SKILL.md, notebooks.json).
    ◦ Sanitization: There is no evidence of sanitization or validation of the content retrieved from external notebooks before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 11, 2026, 04:54 AM